Update: In Adguard turn the blocking method to NXDOMAIN so it won’t give this error. It still gives a warning that “you’re using a VPN”. Edit: I am on iOS 26.
Broader Context: All Indian Banking apps have been instructed to not allow the use of VPN slot while using a banking app. The Central Bank has also ordered to disallow usage if Developers Options are turned on. Apart from that globally all banking apps require Google Play Services and Boot-loader to be locked. I also found on some reddit post that they are not allowing the use of a 5 year old + phones for banking.
Blocking or allowing domains should not mess up SSL. Is there anything else filtering or intercepting the trafic ?
Nope when I turn off Adguard DNS implementation (which uses the phone’s VPN slot), the app works normally.
What’s configured for blocked domains? If you answer with a custom IP the SSL won’t match the domain name. Try nxdomain instead.
It was on default (i.e 0.0.0.0). Switching to NXDOMAIN worked. Thanks.
Don’t delete your post, update it with the proper info so others know the fix in the future
Yep did that just now. Also added a context.
deleted by creator
Why would they delete it? It’s good info for anyone else who may run into the same situation.
Usually DNSBL will do this, yes.
“Network with invalid server certificate” lol wtf is that supposed to mean?
It means they know the hash or whatever for their cert, and intentionally fail if there’s any kind of MITM funkiness (which you’d have for an ad blocker doing https intercept)
It could also be that the app is looking at parameters other than the hash (which would probably be that of the certificate authority rather than the domain’s certificate), like the CN, which is potentially fakeble. You can also try to mess with the APK file, maybe find the strings associated with the certificate check and replace them. I won’t fault the app’s authors for making such a check though, MITM is so easy to do without certificate validation.
Maybe I do not understand the vector here, but I think you should be able to use a DNS filter log, like a whitelist firewall. Use the log to see what servers are blocked when you try to open the app. Then just whitelist those servers.
The proper argument is not for Ad Block. That is just a lazy hack. The proper argument is that you have a right to a front door on your home – a digital front door, a right to lock it, and a right to decide who may enter your home. This is what a DNS whitelist filter does. If you are not allowed to use a DNS whitelist, your home has had the door ripped off and are being forced to allow stalkers, thieves, and slavers into your home to manipulate and exploit you. Never talk about ad block. That is politically irrelevant. I do not care if the lock on your front door in the real world has great pick resistance. It is just as much a symbol as it is a device. The primary reason for losing rights is from people failing to argue well, and understand their rights like this. I am one of the few people that does DNS the hard way and run a whitelist filter.
All the blocked requests are app analytics and trackers. Whitelisting them will defeat the purpose. I might just switch to Google Pay’s UPI rather than fighting the government app or just use cash.
Also using DNS filters in a whitelist mode is very inefficient and defeats the purpose of using the internet. I don’t want to make a fool of myself in front of my friends when I am unable to figure out which domains does the restaurant’s digital menu uses so I can go and whitelist them.
You have multiple devices and networks.
Please cross-post to a privacy community. Ultimately, this sounds like it’s going to produce a situation where a dumbphone that allows for hotspots and them a smartphone without UPI or a SIM and with a VPN are a workable solution.
Which app is this? BHIM?
It literally says that in the screenshot
